Clipperz: online password management
As we've pointed out in the past, the only way to make sure you don't have your entire online (or financial) identity stolen is to use a different password for every web site you visit. At the very least, you should not be using the same email address for your bank, email, and Flickr accounts.
But how are you going to remember dozens of different passwords? Odds are, you aren't. That's where programs that keep track of them for you come in. All you need to remember is the password for that program, and all the rest of your passwords are available when you need them.
Right, but what if you need to log in to some sites from home, others at work, and you might desperately need to check another site while on vacation? Clipperz is an online password management solution. The service lets you create a bookmark for one site with information allowing you to log in to dozens or hundreds of other web pages. Clipperz itself asks that you come up with a pass phrase, rather than a pass word, for improved security.
Of course, you not only need to really trust Clipperz before storing any sensitive data on the site, but also to trust that the service will never be hacked. In other words, you might be best off storing your banking and credit card details somewhere else.
[via Somewhat Frank]
Comments (7)
Marco Barulli, Apr 3rd 2007 6:23PM
Thanks for the review.
Hacking our servers will be quite useless since Clipperz lets you submit confidential information into your browser, but your secrets are locally encrypted by the browser itself before being uploaded to Clipperz. You are not providing Clipperz any data, just a bunch of scrambled bits.
I just wanted to add that you don't really need to trust us, since _all_ Clipperz source code is available from our website along with checksums to verify its integrity. Further instructions about performing a security code review of Clipperz are available here:
http://www.clipperz.com/learn_more/reviewing_the_code
Furthermore, we released the core crypto functions under a BSD license; the Clipperz Crypto Library is available here: http://code.google.com/p/clipperz.
So, don't trust us, but check for yourself! :-)
Complete transparency is the only way to go!
Thanks again,
Marco
Clipperz co-founder
PS
Do not forget to try the offline version and the smoothness of "direct logins".
Sim, Apr 3rd 2007 9:51PM
Yeah after taking a look at their website, it is rather ingenious.
So the passwords are encrypted and stored on their website, even if they were "hacked" they wouldn't get the unencrypted information.
Now, keeping that in mind and the chart located at http://www.downloadsquad.com/2007/03/27/a-1-second-reminder-why-you-should-use-better-passwords/, using their service you can now pick that 14 character password, use upper & lowercase, use numbers and special characters and then sit back and rest assured that it'll be 150 billion years before someone knows your login info!
Now just watch out for key loggers... =P
Marco Barulli, Apr 4th 2007 7:37AM
About keyloggers: we will soon introduce one-time passphrases. A one-time passphrase works like your regular passphrase, but can be used only once.
If the same passphrase is used again at a later stage in a login attempt it will be rejected and the login process will fail.
Immediately after a successful login, your one-time passphrase will be deleted preventing any fraudulent access.
One-time passwords are an excellent choice if one is concerned about keyloggers or spyware infections that may be collecting data from compromised machines.
It's strongly advisable to use one-time passphrases when accessing Clipperz from public terminals, such as Internet cafes and libraries.
So, in the near future, if you need to access one of your online services from a public terminal:
1. log in to your Clipperz account with a one-time passphrase
2. log in to your online service simply by clicking on the related "direct login" link
Enjoy your privacy and security with Clipperz.
Marco
Clipperz co-founder
www.clipperz.com
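The one-time passphrase lifecycle described in the comment above (accepted on first use, deleted immediately after a successful login, rejected on any replay) as an added example; this is not Clipperz's code, and the storage format, the PBKDF2 parameters and the passphrase format are assumptions.

```python
import hashlib
import hmac
import secrets

# Hypothetical one-time passphrase store (added example, not Clipperz's own code).
# Only salted hashes of the unused passphrases are kept, so a copy of the store
# does not reveal the passphrases themselves.
SALT_BYTES = 16
PBKDF2_ITERATIONS = 50_000  # assumption; tune to the server's CPU budget


def _digest(salt: bytes, passphrase: str) -> bytes:
    """Slow, salted hash of a passphrase (PBKDF2 parameters are an assumption)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ITERATIONS)


class OneTimePassphraseStore:
    def __init__(self) -> None:
        self._entries: list[tuple[bytes, bytes]] = []  # (salt, digest) per unused passphrase

    def issue(self, count: int = 5, words: int = 4) -> list[str]:
        """Generate `count` random passphrases, keep their hashes, return the cleartext once."""
        issued = []
        for _ in range(count):
            phrase = "-".join(secrets.token_hex(3) for _ in range(words))  # constructed format
            salt = secrets.token_bytes(SALT_BYTES)
            self._entries.append((salt, _digest(salt, phrase)))
            issued.append(phrase)
        return issued

    def remaining(self) -> int:
        return len(self._entries)

    def login(self, passphrase: str) -> bool:
        """Return True and delete the entry on first use; any later use is rejected."""
        for index, (salt, stored) in enumerate(self._entries):
            if hmac.compare_digest(stored, _digest(salt, passphrase)):
                del self._entries[index]  # consumed: a replay from a keylogger fails
                return True
        return False


def demo() -> tuple[bool, bool, int]:
    """Walk through the lifecycle: first use succeeds, replay fails, the entry is gone."""
    store = OneTimePassphraseStore()
    phrases = store.issue(count=3)
    first_use = store.login(phrases[0])
    replay = store.login(phrases[0])
    return first_use, replay, store.remaining()
```

A failed attempt leaves the store untouched, so a mistyped passphrase does not burn an unused one.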
Andy, Apr 4th 2007 7:37AM
Don't be so proud of this technological terror you've constructed.
Heh, no seriously, no security expert worth their salt would claim a system is flawless. I don't say this to be inflammatory.
Here's a few thoughts:
A) You said: "You are not providing Clipperz any data, just a bunch of scrambled bits."
Unless I'm mistaken you're being misleading here. Of course the user is providing you with data, it's just that the data has been encrypted. Encrypted data IS reversible with the appropriate key. Moreover, you cannot make any guarantees about when or how an encryption algorithm might be found to be flawed. If whatever algorithm you're using becomes exploited then suddenly your system is in big big trouble. The best you can really say is that your data is "pretty secure" (as in, PGP).
B) Making your source code *open* does not make the system secure. Just thought I'd point that out. Even the most popular open projects (apache, mysql, etc) have had plenty of security problems over the years.
C) If the user is storing passwords in your system because they can't remember them, what happens if:
* Your servers are not available due to a denial of service attack or similar.
* Your service is switched off for any reason.
D) It seems to me that having a database of passwords is the kind of thing that's likely to get some extra attention aimed at your servers.
Sim, Apr 4th 2007 8:16PM
I don't work for Clipperz, and I am certainly not suggesting that any system is flawless or foolproof. But as it were the largest security flaws as of late have been social engineering.
1) clipperz doesn't know your passphrase, they have said that the strength of your account is directly linked to your passphrase. So yes if someone knows your key and login, they will be able to get your data. But that's true of any user/password verification, they aren't claiming biometric security here.
2) PGP uses a few different crypto algorithms if I'm not mistaken, I haven't used it in a while. But there are some fairly mathematically proven ways to be as relatively sure your system isn't going to be compromised. Twofish is a good system, there are plenty of others. Lots of unpatented open-source crypto algorithms in fact. If a major widely used AES cipher turns out to be broken, then there are going to be more problems than clipperz website being compromised.
I don't think they are making their source code "open" to make it more secure, they are making it "open" to show there are no backdoors that in fact anyone with some programming knowledge can look at the system and be able to discern what steps are being taken to protect their data.
3) Your last points, one, they have an offline option, so you can d/l and use it if you don't have access to the internet. That would also work if their website was down for some reason.
and your last point, No offense to clipperz, but if a person is able to crack the crypto security that clipperz is using, they should prob be working on some guaranteed information. If they are that good, go hack a govt. system or world bank. Why hack to find out what my password is for playboy.com; there's no guarantee that their time will actually result in some measurable amount of tangible information.
Tara Kelly, Apr 4th 2007 11:10PM
Hello,
PassPack (http://www.passpack.com) is another valid option. We were born in and around the same time, both in Italy. We have slightly different approaches to the same problem. Clipperz targets a more experienced user, while PassPack tries to make it as easy as possible to keep your stuff safe and organized.
With PassPack, should you change your pass phrase, then forget it, we can roll you back to a previous version so all will not be lost.
We're also working on a bookmarklet that should be quite a bit easier to use and more flexible than what's already available. The demo is here, and if you'd like I can let you into the Beta Testing to have a go at it:
http://passpack.wordpress.com/2007/03/22/passpack-auto-login-no-plugin-needed/
Also, PassPack uses a unique anti-phishing pattern - very similar to Yahoo's, but a bit more robust.
Please have a look and let me know what you think.
You can sign up for free at http://www.passpack.com
Cheers,
Tara Kelly
don king, Jun 1st 2007 9:05AM
I like the direct-login feature of clipperz - to me this is really the USP, bit tricky to set up but they offer support if you get stuck it seems...